Craig McDonald 21 September 2018 09:22:52 AEST 8 MIN READ

CEOs need to make cybersecurity part of corporate culture

What is cybersecurity?
If you walked around your office and asked people that question, what sort of answers do you think you’d get?

I’ve done this experiment in a few offices and people’s answers are usually very similar. They talk about antivirus software and their IT team, which are actually good answers, but the most important aspect of security rarely gets mentioned. Nobody talks about what they do themselves to keep their company’s data secure.

Cybersecurity and people

Securing an organisation’s computer systems hinges on the actions of every single member of a team. I’m talking now to the managers who are reading this because the responsibility for creating a security-conscious workforce ultimately falls to you.

The people you supervise are mostly not IT experts. They don’t know what the online security threats to your company are because they think that the IT team take care of it and it’s out of their hands.

If you want your team to participate in making the business safer from hacking and cybercrime, you have to give them the knowledge to make good security choices. It doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defence.
I call this heightened awareness level cybersecurity culture.

Why is cybersecurity culture important?

Hacking, cybercrime, email fraud; these are some of the biggest external threats to businesses right now.

I’ve written a lot over the last couple of years about the growing problem of online crime. The number and severity of cyber-attacks is climbing dramatically the world over. Studies done by the FBI, cybersecurity vendors and academics consistently show that more than 90% of cyber-attacks are perpetrated via email, which means everyone in a company is a target because everyone has an inbox.

If we’re going to win the battle with cybercrime we have to get real about the nature of the threat. Hackers are using email fraud to break into corporate computer systems because most people working in an office are soft targets. They don’t know what cybercrime looks like. They can’t recognise the tactics and they can be easily manipulated into unwittingly disclosing valuable data like passwords. It’s not their fault; they can’t be expected to think defensively unless they’re given the know-how.
The responsibility is with management to get everyone on the same page and create awareness. There is a real threat, it will affect every person in a company and the only way to combat it effectively is with education, and that starts from the top down.

How to be a pro-security CEO

As a CEO or business owner, it’s up to you to set the agenda for cybersecurity in your organisation.

Creating a cybersecurity culture in a company is a process that begins with awareness. You may not be an expert yourself, but you need to know what policies to put in place to instigate security improvements, and what the risks are to your business.

Cybersecurity is a highly specialised field, so if you have the budget to hire specialist consultants that’s going to be a great investment. If you’re managing a smaller company and have limited resources, it’s vital to engage your leaders, and to allocate your security budget effectively.

Ask your team to suggest ways your company can strengthen its security stance. You should call on all corners of your business, from sales through to operations, marketing, finance and IT. They all have a role to play in protecting your operations, your data, and your firm’s reputation.

Spending on cybersecurity should be a combination of layered software protection and education. Just keeping your antivirus software up-to-date is not going to cut it.

Investigate the security weaknesses of your organisation. Think about the kind of online activity your business is engaged in and where the points of contact are.

Implement at least two separate software systems that protect your assets from compromise. Ideally, don’t rely on software that’s installed on local machines. If the company is hacked, the first thing the attackers will do is seek to disable your locally installed antivirus.

Starting with senior management, instigate a company-wide security education program making team members aware of cybercrime threats.
It’s important that every single person who uses the company’s systems knows what threats to look out for. Educating a workforce about cybercrime and hacking is what engenders a cybersecurity culture in a company.

With the vast majority of cyber-attacks being launched via email inboxes, everyone in a company is in the firing line. We have to give people the understanding of the threat that could be hidden in apparently innocent emails so they can play their part in keeping the business secure.

As managers, as CEOs, if we’re not doing everything we can to give our teams cybersecurity knowledge, then we’re the problem. It’s up to senior management to tackle this problem. We can make the internet much more secure, but we’re never going to eradicate cybercrime. The best defence we have is creating a cybersecurity culture where people are better able to recognise attacks and avoid being made into victims.

Get the facts

Companies are spending more on cybersecurity now than ever before but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.
Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. (I wrote an article recently talking about some common phishing attack formats and the mechanism of social engineering attacks. If you’d like to learn more about this growing threat category check out the article, here.)

If we’re going to win the battle with cybercrime we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.

You can download my e-book for free, here.

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.